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Legal Uncertainty and Harmonization 


ox" 4 Legal representative (Art. 7 Regulation and Arts. 
1,2,3 Directive) 


It is presumed that legal representatives are established in a separate legal 
instrument in order to ensure that they are the applicable addressee not only for 
EPOC(-PR)s, but also for other instruments available under domestic law. This 
adds an unnecessary layer of confusion and we continue to advocate converting 
the Directive to a Regulation or a separate Regulation as a more appropriate 
legal instrument. 


The clause allowing national authorities to address service providers established 
on their territory contradicts the stated goal to simplify and harmonise the point of 
contact. This may be appropriate where service providers are only established in 
that Member State, it does not make sense for international service providers. 


We believes that EPOC(-PR)s or other Union-level instruments should be the 
only instruments used in a cross-border context. 


Authorities should not be allowed to address any establishment of a service 
provider when the legal representative does not comply with an EPOC(-PR). 
Authorities should not be permitted to go forum shopping for a less 
knowledgeable branch of the same service provider simply because the 
representative did not comply. The only circumstance this should apply where 
the legal representative does not respond in the allotted time in emergency 
cases. Entities that do not have possession and control over the information 
sought should only be responsible for forwarding the request to the 
establishment of the provider that does have possession. 


Liability for non-compliance should be applied to the service provider or other 
legal entity and not the identified legal representative. It should be clear that the 
natural person cannot be held personally liable for pecuniary sanctions. 


ows" 4  GDPR main establishment analysis 


The GDPR’s ‘lead supervisory authority’ mechanism ensures that in cases of 
cross-border data processing, a single Member State’s data protection authority 
(DPA) has primary oversight of that processing. However, the Directive could 
inadvertently impact and create confusion around this important measure. 
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Under the Directive, legal representatives must have the authority to receive, 
comply with and enforce Member State decisions and orders issued for the 
purpose of gathering evidence in criminal proceedings.’ It is unclear what this 
obligation requires in practice or how it intersects with the GDPR’s main 
establishment test. 


This issue will be particularly acute for service providers whose current main 
establishment is in Ireland, because those providers will be required to locate at 
least one legal representative outside of Ireland, as long as Ireland continues not 
to participate in the EIO Directive. 


We propose adding language to the Directive to clarify that the requirement for 
the legal representative to have ‘powers and resources’ is satisfied so long as the 
legal representative can accept and process orders served under EU instruments 
and can disclose data in response to those orders, but need not be the locus of 
decision-making authority as to whether an order is lawful, and/or should be 
complied with. 


We welcome the Council’s text which amends Recital 15 stating: ‘The sole 
designation of a legal representative should not be considered to constitute an 
establishment of the service provider.’ If there is no establishment, there cannot 
be a ‘main establishment’ and it arguably follows that the ‘sole designation’ of a 
legal representative likewise should not be indicative of a main establishment 
under the GDPR. It could also be interpreted to mean that the mere act of 
designating a legal representative does not create an establishment, without 
bearing on the question of whether an establishment exists after that 
representative is vested with the ‘powers and resources’. Moreover, the recital 
language is non-binding, hence it remains possible under the Directive that a 
court would hold that the powers vested in a legal representative does constitute 
an ‘establishment’ in relation to the relevant processing. 


Double criminality 


We support harmonisation in this field, which will be particularly helpful for our 
SME members. The EIO contains a list of crimes to which an EIO can be 
submitted. 


However, from a legal certainty perspective it would be beneficial to include a 
reference as to what some of these crimes mean, in particular when they contain 
a definition at EU level. For example, the EIO list contains ‘computer-related 
crimes’: the EU has a Directive on attacks against information systems, so the 
definitions should be aligned across the legal instruments. 
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úa Alberto Di Felice 


Senior Policy Manager for Infrastructure, Privacy and Security 
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About DIGITALEUROPE 

DIGITALEUROPE represents the digital technology industry in Europe. Our members include 
some of the world’s largest IT, telecoms and consumer electronics companies and national 
associations from every part of Europe. DIGITALEUROPE wants European businesses and 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in 
the development and implementation of EU policies. 
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Corporate Members 


Airbus, Amazon, AMD, Apple, Arçelik, Bosch, Bose, Bristol-Myers Squibb, Brother, Canon, Cisco, DATEV, 
Dell, Dropbox, Epson, Ericsson, Facebook, Fujitsu, Google, Hewlett Packard Enterprise, Hitachi, HP Inc., 
HSBC, Huawei, Intel, Johnson & Johnson, JVC Kenwood Group, Konica Minolta, Kyocera, Lenovo, 
Lexmark, LG Electronics, Loewe, MasterCard, METRO, Microsoft, Mitsubishi Electric Europe, Motorola 
Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, Oki, Oracle, Palo Alto Networks, Panasonic 
Europe, Philips, Pioneer, Qualcomm, Ricoh Europe PLC, Rockwell Automation, Samsung, SAP, SAS, 
Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, Sony, Swatch Group, Tata 
Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, Visa, VMware, Xerox. 


National Trade Associations 


Austria: |OO Germany: BITKOM, ZVEI Slovakia: ITAS 
Belarus: INFOPARK Greece: SEPE Slovenia: GZS 
Belgium: AGORIA Hungary: IVSZ Spain: AMETIC 


Bulgaria: BAIT 

Croatia: Croatian 
Chamber of Economy 
Cyprus: CITEA 

Denmark: DI Digital, IT 
BRANCHEN 

Estonia: ITL 

Finland: TIF 

France: AFNUM, Syntec 
Numérique, Tech in France 


Ireland: Technology Ireland 
Italy: Anitec-Assinform 
Lithuania: INFOBALT 
Luxembourg: APSI 
Netherlands: Nederland ICT, 
FIAR 

Norway: Abelia 

Poland: KIGEIT, PIIT, ZIPSEE 
Portugal: AGEFE 

Romania: ANIS, APDETIC 


Sweden: Foreningen 
Teknikféretagen i Sverige, 
IT&Telekomf6retagen 
Switzerland: SWICO 

Turkey: Digital Turkey Platform, 
ECID 

Ukraine: IT UKRAINE 

United Kingdom: techUK 


